ICO Breach Reports Jump 75% as Human Error Dominates

The volume of data breach incidents reported to the UK’s data protection watchdog increased 75% over the past two years as organizations geared up for the new data protection regime, according to figures obtained through a new FOI request.

Risk management firm Kroll also found that human error accounted for the vast majority (88%) of incidents reported to the Information Commissioner’s Office (ICO) over the past year: 2124 reports versus just 292 cases that were down to deliberate cyber-attacks.

Of the human error incidents, data emailed to the wrong recipient (447) topped the list, followed by data posted/faxed to the incorrect recipient (441), loss/theft of paperwork (438), failure to redact data (256) and data left in an insecure location (164).

Unauthorized access, malware and phishing were the most common forms of deliberate attack leading to a breach.

“Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks,” said Kroll MD, Andrew Beckett. “The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”

The health sector accounted for the vast majority of incidents reported in 2017/18, but that’s in part down to pre-GDPR mandatory reporting rules for the sector. In fact, the “general business” category saw the biggest rise in incidents from 2016/17 to 2017/18 (215%), followed by education and childcare (142%), justice (128%) and legal (112%).

Beckett claimed the FOI results represent only a snapshot of the true scale of data breach incidents in the UK.

“Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organizations to report certain types of personal data breach,” he said.

“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20m or 4% of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”